Suspicious File Found On A Windows 2000 Server - nt.exe

Robert Robbins

Hello Fellow Network Administrators,

While checking the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry
key for a virus I found an entry for C:\WINNT\nt.exe that looked suspicious.
This was on a Windows 2000 Server with Service Pack 4. I could not find this
file on our other Windows 2000 Servers so it does not look like a system
file. My anti-virus software does not raise a red flag for this file. I
examined the binary code for the file and only found a URL to
http://upx.tsx.org which proved to be the Ultimate Packer for Executables.

Does anyone know what kind of virus this may be? Could the nt.exe file be a
legitimate file?

Robert Robbins
Kolb Net Works
 
R

Robert Robbins

Nope. I don't think so. I later found a suspicious service running: WinVer
Local 2.12 mapped to C:\WINNT\System32\Ntmsce\SvchostVB32.exe. The files in
that directory are for Serv-U FTP Server so it looks like hackers were
planning to use our server for FTP or to upload more malware. Our firewall
is still warning us about port scans from a localhost IP address.

Robert Robbins
Kolb Net Works
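The two places the thread looks for persistence are the Run registry key and the service list, and the one static clue found in the binary was the UPX packer string. The script below is an added example, not code from any poster in this thread: it enumerates those autostart locations on a modern Windows host with PowerShell 5.1 or later (the exact cmdlets assumed here did not exist on Windows 2000), and flags entries whose image lives outside the usual system and Program Files directories, whose file is missing, whose Authenticode signature is not valid, or whose PE section table carries the `UPX0`/`UPX1` names that the UPX packer writes. The directory list in `$expectedRoots` and the "unusual-location" heuristic are assumptions for illustration; tune them to your own baseline.

```powershell
# Added example (not from the thread): triage autostart entries and services.
# Assumes PowerShell 5.1+ running with administrative rights on Windows.

$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Directories where legitimate autostart images are expected (assumed baseline).
$expectedRoots = @(
  "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64",
  $env:ProgramFiles, ${env:ProgramFiles(x86)}
) | Where-Object { $_ }

function Get-ImagePath([string]$command) {
  # Reduce a command line such as "C:\x\y.exe" /arg or C:\x\y.exe -k svc to the image path.
  if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
  if ($command -match '^\s*(.+?\.exe)\b') { return $Matches[1] }
  return $command.Trim()
}

function Test-UpxSections([string]$path) {
  # Walk the PE section table by hand and look for section names starting with "UPX".
  try { $bytes = [System.IO.File]::ReadAllBytes($path) } catch { return $false }
  if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $false }
  $peOff = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew -> "PE\0\0"
  if ($peOff -lt 0 -or $peOff + 24 -gt $bytes.Length) { return $false }
  $numSections = [BitConverter]::ToUInt16($bytes, $peOff + 6)
  $optSize     = [BitConverter]::ToUInt16($bytes, $peOff + 20)
  $secTable    = $peOff + 24 + $optSize                     # first IMAGE_SECTION_HEADER
  for ($i = 0; $i -lt $numSections; $i++) {
    $off = $secTable + 40 * $i                              # each header is 40 bytes
    if ($off + 8 -gt $bytes.Length) { break }
    $name = [System.Text.Encoding]::ASCII.GetString($bytes, $off, 8).TrimEnd([char]0)
    if ($name -like 'UPX*') { return $true }
  }
  return $false
}

# Collect (source, name, image path) for every Run value and every service.
$entries = @()
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $item = Get-Item -Path $key
  foreach ($name in $item.GetValueNames()) {
    $entries += [pscustomobject]@{ Source = $key; Name = $name
                                   Path = Get-ImagePath ([string]$item.GetValue($name)) }
  }
}
foreach ($svc in Get-CimInstance Win32_Service) {
  $entries += [pscustomobject]@{ Source = 'Service'; Name = $svc.Name
                                 Path = Get-ImagePath ([string]$svc.PathName) }
}

# Emit only the entries that trip at least one heuristic.
foreach ($e in $entries) {
  $path = [Environment]::ExpandEnvironmentVariables($e.Path)
  if (-not $path) { continue }
  $inExpected = $false
  foreach ($root in $expectedRoots) { if ($path -like "$root\*") { $inExpected = $true } }
  $flags = @()
  if (-not $inExpected) { $flags += 'unusual-location' }
  if (Test-Path -LiteralPath $path) {
    if (Test-UpxSections $path) { $flags += 'upx-packed' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { $flags += "signature:$($sig.Status)" }
  } else {
    $flags += 'file-missing'
  }
  if ($flags.Count -gt 0) {
    [pscustomobject]@{ Source = $e.Source; Name = $e.Name; Path = $path; Flags = ($flags -join ',') }
  }
}
```

Run it from an elevated prompt and pipe the output to `Format-Table -AutoSize` or `Export-Csv`. An entry like the thread's `C:\WINNT\nt.exe` would surface as unusual-location plus upx-packed and, since it carries no vendor signature, signature:NotSigned; a service such as the `WinVer Local 2.12` one, with an image under an odd `System32` subfolder, would still pass the location test but fail the signature test, which is why the script combines several weak signals rather than relying on any one of them. A packed or unsigned file is not proof of malware, so treat the output as a worklist for hashing and comparison against known-good hosts, as the original poster did.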
 
J

Jim Carlock

You might want to re-evaluate security on your systems.

The Nimda virus is used by folks to give the Everyone
group permissions to everything on your system. There
are free Nimda viral scanners available at Symantec. I
never seem to remember how to spell that... so check out
www.norton.com.

--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.

Jim Carlock

When I ran into it, I went to Norton to get their tools for
removing. I was hit when I opened an HTML document. It
was a readme.html and it had javascript code in it that opened
another document that contained binary executable images.

Information about it can be found at:

http://securityresponse.symantec.com/avcenter/tools.list.html

It's something that folks will throw onto your system after they've
already got access. The Nimda links on that link above should
find and identify the files. My virus scanner at the time indicated
that the virus couldn't be removed. I think that was referring to the
fact that once the software is run, the computer is opened up for
anyone to access it. It's been a while since I ran into it, and by
default Win2k installs the Everyone group, so just seeing the
Everyone Group there doesn't necessarily mean you have the
virus. I ended up reinstalling Win2k to fix the problems. Ran
a couple of virus scanners and such to get rid of the virii.

There's another online virus scanner that can be used:

www.trendmicro.com

You'll have to click on the online scan links to get it to run.

They have a real nice configuration and some downloadable
trial software as well.

Hope that helps.

--
Jim Carlock
http://www.microcosmotalk.com/
Post replies to the newsgroup.


We have this virus as well, any idea what it is and how to remove it?

thanks